MEMORANDUM FOR KATHERINE ARCHULETA
               Director

FROM:          PATRICK E. McFARLAND
               Inspector General

SUBJECT:       Status of Cloud Computing Environments within OPM (Report No. 4A-CI-00-14-028)


The purpose of this memorandum is to communicate to you the results of our review of the contracts for cloud computing information systems used by the U.S. Office of Personnel Management (OPM). We submitted our conclusions and recommendations to representatives of OPM's Office of the Chief Information Officer (OCIO) to elicit their comments. The OCIO's comments are included within this memorandum.

Executive Summary

Our review indicated that the language in OPM's current cloud computing contracts does not adhere to established best practices. We also determined that the Cloud Service Providers (CSP) hosting OPM systems are not certified or authorized in accordance with the Federal Risk and Authorization Management Program (FedRAMP) requirements.

As a result, we recommend that the contract language for cloud computing services be updated, and that OPM contract only with CSPs that are in compliance with FedRAMP.

Background

The OPM Office of the Inspector General (OIG) volunteered to participate in a government-wide review of cloud computing environments that was led by the Council of Inspectors General on Integrity and Efficiency. The review had two main purposes: (1) to review current agency cloud computing contracts for compliance with best practices established by the Chief Information Officers (CIO) Council and the Chief Acquisition Officers Council, and (2) to determine whether agency systems used FedRAMP to acquire and authorize cloud services.

Scope and Methodology

To perform our review, we evaluated the contracts for a sample of OPM information systems that use CSPs to host applications. We also interviewed individuals from OPM's Contracting Office, program office officials who use cloud-based systems, and OPM's Chief Information Security Officer.

Our review was not conducted in accordance with Generally Accepted Government Auditing Standards (GAGAS). The nature and scope of the work performed was consistent with that expected of a GAGAS audit; however, because we consider this to be a review, the documentation, reporting, and quality control standards are not as stringent.

Review Results

Our review indicated that OPM's cloud computing contracts do not adhere to established best practices. We also determined that CSPs hosting agency systems are not certified or authorized by FedRAMP.

a) Cloud Service Provider Procurement and Contract Formation

The CIO Council and Chief Acquisition Officers Council published a document titled "Creating Effective Cloud Computing Contracts for the Federal Government" that establishes best practices for acquiring information technology (IT) as a service. The document establishes the following areas that should be addressed when creating a cloud computing contract:

  •   selecting a cloud service;
  •   CSP and end-user agreements;
  •   service level agreements;
  •   CSP, agency, and integrator roles and responsibilities;
  •   standards;
  •   security;
  •   privacy;
  •   e-discovery;
  •   Freedom of Information Act; and
  •   federal e-records management.

We reviewed a sample of agency cloud computing contracts and determined that none of them incorporated all of these best practices. Over the last few years, the OCIO has worked with the Contracting Office to incorporate new language into contracts for IT services to enforce Federal Information Security Management Act (FISMA) requirements. However, the new language does not adequately address cloud services in the areas listed above.

Failure to incorporate cloud-specific language into agency contracts carries multiple risks. For instance, there is an increased risk that data ownership is not adequately established, which could allow a cloud provider to have unnecessary access to sensitive federal data. Also, failure to define security standards and testing requirements increases the risk of a data breach, which could lead to the loss or corruption of sensitive federal data.

Recommendation 1

We recommend that the OCIO work with OPM's Contracting Office to review cloud computing contract best practices and incorporate appropriate language into future contracts for cloud services. We also recommend that the Contracting Office assess the feasibility of incorporating the updated contract language into existing contracts for cloud services.

OCIO Response:
"The CIO believes that while existing security contract language that goes into all IT contracts [is] aligned with OPM security policy and FISMA requirements, it would enhance security to incorporate additional language to specifically address Cloud environments."

OIG Reply:
As part of the recommendation resolution process, please provide OPM's Internal Oversight and Compliance division with evidence supporting the corrective action taken.

b) FedRAMP Compliance

In December 2011, the Office of Management and Budget (OMB) released a memorandum addressing the security authorization process for cloud computing services. The memorandum requires all federal agencies to use FedRAMP when procuring and subsequently authorizing cloud computing solutions, effective June 5, 2014. Specifically, each agency must do the following:

  •   use FedRAMP when authorizing cloud services;
  •   use the FedRAMP process and security requirements as a baseline for authorizing cloud services;
  •   require CSPs to comply with FedRAMP security requirements;
  •   establish a continuous monitoring program for cloud services;
  •   ensure that maintenance of FedRAMP security authorization requirements is addressed contractually;
  •   require that CSPs route their traffic through a Trusted Internet Connection; and
  •   provide an annual list of all systems that do not meet FedRAMP requirements to OMB.

We determined that no OPM cloud-based systems are currently using FedRAMP-approved CSPs. However, several systems are using FedRAMP-accredited third-party assessment organizations to perform security control testing. While this type of testing does not satisfy FedRAMP requirements, it provides an additional level of assurance that the systems' security controls are adequately tested.

We reviewed OPM's Information Security and Privacy Policy Handbook to determine what guidance is available related to cloud computing. While cloud computing is addressed, FedRAMP requirements are not incorporated into OPM policy or procedures. We were told that the OCIO is in the process of updating the Information Security and Privacy Policy Handbook and that FedRAMP will be addressed, but the updates are not complete at this time. Failure to comply with FedRAMP requirements increases the risk that information systems' security controls will not be adequately tested, which could lead to a data breach and the loss or corruption of sensitive federal data.

Recommendation 2

We recommend that the OCIO update its cloud computing policies and procedures to incorporate FedRAMP requirements.

OCIO Response:
"Cloud Computing security policies are documented in the OPM Security Handbook. The available FedRAMP material on cloud computing [consists] of procedures and templates which typically would not be added to a security policy. We will review the FedRAMP Material and make a determination how best to incorporate [it] into OPM security procedures."

OIG Reply:
While we agree that cloud computing security policies are documented in the OPM Information Security and Privacy Policy Handbook, FedRAMP requirements are not addressed. At a minimum, we would expect the policy to require all agency systems to use FedRAMP-compliant CSPs when acquiring cloud services.

Recommendation 3

We recommend that the OCIO require all program offices with cloud-based systems to use CSPs that are FedRAMP compliant.

OCIO Response:
"It's our policy to use FedRAMP Cloud Service Providers (CSP) for new or renewing cloud services when feasible. FedRAMP CSPs are currently accredited at the FIPS-199 moderate level and therefore cannot host OPM's high systems. There is also the issue [of] FedRAMP delays in [processing] applications for new cloud services and the impact on the ability for program offices to execute their missions. We have approached FedRAMP in the past to host OPM systems and [were] told that it would take almost a year to join the program because of a backlog of agencies waiting to join the program."

OIG Reply:
We understand that the process for a CSP to obtain FedRAMP compliance takes time and that it may be difficult for a program office to change CSPs. However, the OMB memorandum establishing FedRAMP and the requirement that each agency use FedRAMP-compliant CSPs was published in December 2011. The intent of the recommendation is for OPM to enforce the requirements established by OMB.

Please contact me on 606-1200 if you have any questions, or your staff may wish to contact Michael R. Esser, Assistant Inspector General for Audits, on          .

cc:    Ann Marie Habershaw
       Chief of Staff and Director of External Affairs

       Donna K. Seymour
       Chief Information Officer

       Mark W. Lambert
       Associate Director
       Merit Systems Accountability and Compliance

       Janet L. Barnes
       Director
       Internal Oversight and Compliance

       Chief, Policy and Internal Control